Yesterday I received an email from my hosts saying they had received a report of email spam coming from my site. They said they had removed the offending script and suggested my site had been exploited. Like a good webmaster I logged in and checked my files. Nothing was amiss except a new directory with a random name like rbdfghydhf. I deleted the directory then started checking my server logs to see what requests had been made around the time the directory was created. I found nothing so began the process of deleting old files and scripts, which is something we should do regularly anyway.
So four hours later, after some Battlefield 4, I logged back in to find a whole bunch of new directories had been made, and again nothing in the logs to indicate how they were created. So I contacted my hosts and asked them to check the ownership of the directories and the files they contained. They eventually got back and told me they had been created via my FTP account from an IP address in Poland, 126.96.36.199. Given my username and password are not simple things, I scanned my computer to make sure it hadn’t been compromised. Two different antivirus programs and no malware found. Then I remembered that about a month or so ago I tested three FTP apps on my Android phone. One didn’t seem to work but the other two worked just fine after some messing with the settings. So by logical deduction I suspect this is how my account details got compromised. I checked the Play Store and only two of the three apps I tested are still listed, which is another sign that this was the problem.
The moral of the story: if you need to FTP from your mobile device, or use anything else that requires your site's login details, stick with trusted names or apps that have a lot of reviews, both good and bad. I was lucky, but they could have done some serious damage.